DETAILED ACTION
Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

Claims 1-20 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Shanklin et al. (US 6,578,147). 

Claim 1 

Shanklin discloses a method for rapid intrusion detection for network communication 
comprising the steps of: 

receiving packets of network data in a network processor coupled to a network
fabric (column 3, lines 10-18: "receives and sends data in "packets" which are switched
between network segments by routed);

forwarding routed network data to the network fabric; and coupling selected data from 
the network data to a parallel pattern detection engine (PPDE), for comparing the 
selected data in parallel to M sequences of pattern data stored in the PPDE and 
generating a match output signal when at least one of the M sequences of pattern data 
compares to a portion of the selected data (column 2, lines 59 - column 3, line 3: "each 
sensor is identical to the other sensors and is capable of performing the same intrusion
detection processing. The sensors operate in parallel, and analyze packets to determine
if any packet or series of packets has a signature that matches one of a collection of
known intrusion signatures..").

Claim 2 

Shanklin discloses the method of claim 1, further comprising the steps of: storing N 
intrusion signatures in the M PUs sequences of pattern data with corresponding 
identification (ID) data used to identify which of the N intrusion signatures is detected 
(column 6, lines 25-46: "each sensor has a unique IP address" and column 1, lines 50-60:
"one known pattern of unauthorized access is associated with "IP spoofing" whereby
an intruder sends a message is from a trusted port. To engage in IP spoofing, the
intruder must first use a variety of techniques to find a IP address of a trusted port and
must then modify the packet headers so that it appears that the packets are coming
from that port. This activity results in a signature that can be detected when matched to a
previously stored signature of the same activity"); and storing action code indicating
action to take in response to detecting a particular one of the N intrusion signatures
(column 4, lines 54-61: "sensor contains a detection engine... the sensor also analyzes
each packet's relationship to adjacent and related packets in the data stream and if the
analysis indicates misuse the sensor may act autonomously to take action, such as
disconnection..").

Claim 3

Shanklin discloses the method of claim 2, further comprising the steps of: 
analyzing the packets of network data for validity thereby generating valid 
packets of network data as the selected data (column 6, lines 9-24: "session analyzer 
which stores information used to detect signatures from different packets in the same 
session... For example, a first sensor might receive a packet indicating a signature that 
would be comprised of different packets from the same session..."); 
comparing the selected data to the stored N intrusion signatures and generating, at
network data speed, a pattern compare signal and particular ID data when a particular
one of the N intrusion signatures is detected (column 2, lines 59 - column 3, lines 1-3:
"sensors operate in parallel and analyze packets to determine if any packet or series of
packets has a signature that matches one of a collection of known intrusion signatures...
invention provides an easily scalable solution to providing an intrusion detection system
whose ability to perform signature analysis can keep up with high speed networks;
column 7, lines 29-39); and

executing the action code corresponding to the particular one of the N intrusion
signatures detected (column 4, lines 54-61: "sensor contains a detection engine... the
sensor also analyzes each packet's relationship to adjacent and related packets in the
data stream and if the analysis indicates misuse the sensor may act autonomously to
take action, such as disconnection..").

Claim 4

Shanklin discloses the method of claim 3, wherein the PPDE comprises: 
an input/output (I/O) interface for coupling data into and out of the PPDE; 
M processing units (PUs), each of the M PUs having compare circuitry for
comparing each of the sequence of input data to pattern data stored in each of the M 
PUs and generating a compare output, wherein an address pointer selecting the pattern 
data in each of the M PUs is modified in response to a logic state of the compare output 
and an operation code stored with the pattern data; 

an input bus for coupling the sequence of input data to each of the M PUs in parallel; 
an output bus coupled to the I/O interface for sending output data to the I/O interface; 
control circuitry coupled to the I/O interface and coupling control data on a control data 
bus and identification (ID) on an ID bus to each of the M processing units; and 
ID selection circuitry for selecting a match ID from ID data identifying the M PUs in 
response to a pattern match signal and match mode data, wherein the match ID and 
match data corresponding to the match ID are saved in a temporary register as the 
output data (Figure 4 and column 7, lines 1-27: "a switch having internal intrusion
detection sensors... packets are forwarded by switch based on destination address and
the operation of switch is such that its control unit ensures that only packets having a 
certain address are output from the port..."). 

Claim 5

Shanklin discloses the method of claim 3, wherein the PPDE further comprises cascade 
circuitry coupled from each of the M PUs to one or more adjacent PUs within the M PUs 
for selectively coupling chain data between one or more groups of two or more adjacent 
PUs selected from the M PUs in response to the control data (Figure 4, column 4, lines
54-61: "sensor contains a detection engine, which examines each packet incoming to
the sensor including its header and payload. The sensor also analyzes each packet's
relationship to adjacent and related packets in the data stream..." column 4, lines 54-61:
"sensor contains a detection engine... the sensor also analyzes each packet's
relationship to adjacent and related packets in the data stream and if the analysis
indicates misuse the sensor may act autonomously to take action, such as
disconnection..").

Claims 6-20 

The system and method claims are one and the same and are therefore rejected for the
same reason as the method claims above.

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Milliken (US 2003/0115485 A1) teaches hash-based systems and methods for
detecting, preventing and tracing network worms and viruses. 

Buer et al. (US 2004/0143734 A1) teaches data path security processing.

Buer et al. (US 2004/0139313 A1) teaches tagging mechanism for data path
security processing. 

Stephenson (US 2005/0076236 A1) teaches method and system for responding
to network intrusion. 

Oh et al. (US 2005/0125551 A1) teaches high-speed pattern storing and
matching method. 

Lingafelt et al. (US 2004/0199790 A1) teaches use of a programmable network 
processor to observe a flow of packets. 

Ye et al. (US 6,907,436 B2) teaches method for classifying data using clustering
and classification algorithm supervised. 

Kreibich, Christian. Honey-Creating Intrusion Detection Signatures Using 
Honeypots. 2003 Oct. 31. http://www.sigcomm.org/HotNets-ll/papers/honeycomb.pdf. 

Sommer, Robin. Enhancing Byte-Level Network Intrusion Detection Signatures 
with Context. 2003 Aug 18. http://www.icir.org/vern/papers/sig-ccs03.pdf. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Kari L. Schmidt whose telephone number is 571-270-1385.
The examiner can normally be reached on Monday - Friday: 7:30am - 5:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.